Talos Vulnerability Report

TALOS-2018-0600

July 10, 2018

CVE Number

CVE-2018-3933

Summary

An exploitable out-of-bounds write exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312).
A crafted Microsoft Word (DOC) document can lead to an out-of-bounds write, resulting in remote code execution. This vulnerability occurs in the vbputanld method.

Tested Versions

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

This vulnerability is present in the Antenna House Office Server Document Converter, which is used as a document converter in many enterprise server solutions.
It can convert common formats, such as Microsoft's document formats, into more usable and easily viewed formats.
There is a vulnerability in the conversion process from DOC to PDF, JPEG and several other formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.
Let's investigate this vulnerability. After we attempt to convert a malicious Microsoft Word document using the OSDC library, we see the following state:

As we can see, a stack-based buffer overflow occurred inside the vbputanld function, overwriting the return address.
Let's take a look at the most important parts of a pseudocode representation of the vbputanld function:

At lines 13-28 we see a while loop controlled by the _amountBYTE variable. The value of _amountBYTE is read directly from the file at line 4, so the number of loop iterations is under full control of the attacker.
Each iteration of the while loop reads eight bytes from the file into localBuffer (lines 16 and 18). Calculating the stack frame layout shows that the localBuffer array occupies around 80 bytes on the stack.
Since ten iterations already fill 80 bytes, any _amountBYTE value greater than 10 causes the loop to write the next portion of file data outside the bounds of the localBuffer array.
This means that the attacker fully controls both the number of bytes written past the buffer and their content.
Under these circumstances, an attacker using a suitably malformed Microsoft Word document can overwrite the function's return address and turn that into remote code execution.
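The missing bound described above, shown as an added illustration written for this advisory rather than code from the product: assuming the same 80-byte stack array and 8-byte records, the hypothetical read_records_bounded function below rejects any record count that would not fit before the copy loop runs, which is the check the pseudocode of vbputanld lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF_SIZE 80   /* size of the stack array, as estimated in the advisory */
#define RECORD_SIZE    8    /* bytes copied per loop iteration */

enum parse_status { PARSE_OK = 0, PARSE_COUNT_TOO_LARGE = 1, PARSE_TRUNCATED = 2 };

/* Hypothetical hardened reader: a one-byte record count (the attacker-controlled
 * _amountBYTE) is followed by that many 8-byte records. The count is validated
 * against the array capacity BEFORE any record is copied into the stack buffer. */
int read_records_bounded(const uint8_t *in, size_t in_len, size_t *out_records)
{
    uint8_t localBuffer[LOCAL_BUF_SIZE];
    const size_t max_records = LOCAL_BUF_SIZE / RECORD_SIZE;   /* 10 */

    if (in_len < 1) return PARSE_TRUNCATED;
    size_t amount = in[0];                                     /* untrusted count */
    if (amount > max_records) return PARSE_COUNT_TOO_LARGE;    /* the missing check */
    if (in_len - 1 < amount * RECORD_SIZE) return PARSE_TRUNCATED;

    const uint8_t *p = in + 1;
    for (size_t i = 0; i < amount; i++) {           /* now provably within bounds */
        memcpy(localBuffer + i * RECORD_SIZE, p, RECORD_SIZE);
        p += RECORD_SIZE;
    }
    *out_records = amount;
    return PARSE_OK;
}

/* Constructs a sample input (not a real DOC): count byte followed by
 * count * 8 bytes of filler. Returns the total length, or 0 if out is too small. */
size_t build_input(uint8_t count, uint8_t *out, size_t out_len)
{
    size_t need = 1 + (size_t)count * RECORD_SIZE;
    if (out_len < need) return 0;
    out[0] = count;
    for (size_t i = 1; i < need; i++) out[i] = (uint8_t)('A' + (i % 26));
    return need;
}

int main(void)
{
    uint8_t buf[1 + 16 * RECORD_SIZE];
    size_t n = 0;
    for (uint8_t count = 9; count <= 12; count++) {
        size_t len = build_input(count, buf, sizeof buf);
        int rc = read_records_bounded(buf, len, &n);
        printf("count=%u -> status %d (records copied: %zu)\n", count, rc, rc ? 0 : n);
    }
    return 0;
}
```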